DaemonForums  

OpenBSD Security Functionally paranoid!

12th October 2012
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977

Another type of outbound traffic to consider blocking out of hand -- outbound SMTP to any addresses other than your recognized upstream MTAs. This will stop many forms of spambot.
25th November 2012
Trihexagonal (Port Guard)
Join Date: May 2012
Posts: 16
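An added example of the egress rule jggimi describes, written here and not taken from the thread: a small POSIX shell helper that emits the rules as a pf.conf fragment so they can be dropped into an existing ruleset like the one posted later in this thread. The interface name, the table name upstream_mta, the 192.0.2.x relay addresses and the choice of ports 25 and 587 (SMTP and submission) are all assumptions supplied by the caller or made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: print the egress-SMTP rules jggimi
# describes as a pf.conf fragment. Interface name and MTA addresses are
# placeholders passed in by the caller (192.0.2.x is documentation space).

# smtp_egress_rules EXT_IF MTA_ADDR...  -> prints the fragment on stdout
smtp_egress_rules() {
    ext_if=$1; shift
    mtas=$(printf '%s, ' "$@"); mtas=${mtas%, }   # "a, b" list for the table
    cat <<EOF
# Upstream MTAs that hosts behind $ext_if may hand mail to
table <upstream_mta> persist { $mtas }
smtp_ports = "{ 25, 587 }"

# Drop and log outbound SMTP/submission to anything else. 'quick' ends rule
# evaluation here, so a broad 'pass out' rule elsewhere in the file cannot
# let this traffic through.
block out log quick on $ext_if proto tcp to ! <upstream_mta> port \$smtp_ports

# Mail to the listed relays is still allowed, with state tracking
pass out on $ext_if proto tcp to <upstream_mta> port \$smtp_ports modulate state
EOF
}

# pf_syntax_check FILE -> parse-only check with pfctl where it is installed;
# on a host without pf it only says so and returns success
pf_syntax_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here; run 'pfctl -nf $1' on the OpenBSD host"
    fi
}

# Demo: write the fragment for fxp0 with two placeholder relays and check it
frag=$(mktemp)
smtp_egress_rules fxp0 192.0.2.25 192.0.2.26 > "$frag"
cat "$frag"
pf_syntax_check "$frag"
rm -f "$frag"
```

The table and macro lines belong with the other definitions near the top of pf.conf, before the filter rules; with 'quick' on the block rule its position relative to the general 'pass out' rule does not matter. Matches are logged, so 'tcpdump -n -e -ttt -i pflog0 port 25' will show which internal host tried to deliver mail directly, which is exactly the spambot signal the rule is meant to surface.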

Mine is basically the same as everyone else's:

Code:
### macro name for external interface.
ext_if = "fxp0"
netbios_tcp = "{ 13, 22, 23, 37, 107, 111, 113, 512, 513, 514 }"

### Pass loopback
set skip on lo

### Reassemble fragmented packets
match in all scrub (no-df)

### Default deny everything rule
block log all

### Block spoofy
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block specific ports
block in on ! lo0 proto tcp to port 6000:6010
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
I scanned my OpenBSD machine from my FreeBSD box on the LAN and it showed TCP ports 13, 37, and 113 open by default on my installation, so I added those to the ports I normally block. I didn't see where to disable those services, so I just blocked the ports. I don't use SSH, so I have TCP 22 blocked as well.

I'm behind a pfSense hardware firewall, so running pf on my machines may be somewhat redundant, but I wouldn't have it any other way, unlike some people who claim a firewall isn't necessary if you don't have any open ports and don't see the benefits of not responding to ping or returning a stealth status when scanned.
25th November 2012
ai-danno (Spam Deminer)
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284

grep your /etc/services file for the ports in question. You'll find that they are daytime, auth ident, and time.

inetd manages these services, so you can modify /etc/inetd.conf to disable them (I'm assuming you aren't intending to serve them if you don't recognize them), then restart inetd ("pkill -HUP inetd").
Network Firefighter
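An added example, written here rather than posted by ai-danno, that walks through the procedure in the post above on constructed input: look the port numbers up in /etc/services, then comment out the matching inetd.conf entries. The excerpts of /etc/services and /etc/inetd.conf embedded below are constructed samples (they follow the OpenBSD layout, with 113 appearing as "auth" in services but "ident" in inetd.conf); on a real host point the functions at the actual files, write the result back, and send inetd a HUP as the post says.

```shell
#!/bin/sh
# Added example, not from the thread. Maps TCP ports to service names via
# /etc/services and comments out the matching inetd.conf entries. The sample
# file contents used by demo() are constructed so the script runs anywhere.

# service_names SERVICES_FILE PORT...  -> prints "port name" for each tcp port
service_names() {
    file=$1; shift
    for port in "$@"; do
        # /etc/services lines look like:  daytime    13/tcp
        name=$(awk -v p="$port" '$2 == (p "/tcp") { print $1; exit }' "$file")
        printf '%s %s\n' "$port" "${name:-unknown}"
    done
}

# disable_inetd_services INETD_CONF NAME...  -> prints the config with every
# active line for the given service names commented out; the file itself is
# left untouched, so redirect the output and review it before replacing it
disable_inetd_services() {
    file=$1; shift
    names=$(printf '%s|' "$@"); names=${names%|}
    # a service line starts with the service name, optionally prefixed by
    # "address:"; lines already starting with '#' are not touched
    sed -E "s/^(([^#[:space:]]+:)?($names))([[:space:]])/#\1\4/" "$file"
}

# Demo on constructed excerpts of the two files
demo() {
    tmp=$(mktemp -d)
    # constructed excerpt of /etc/services
    printf 'daytime\t\t13/tcp\ntime\t\t37/tcp\nauth\t\t113/tcp\t\tident tap\nssh\t\t22/tcp\n' \
        > "$tmp/services"
    # constructed excerpt of /etc/inetd.conf: three active entries, ftp already off
    printf 'ident\tstream\ttcp\tnowait\t_identd\t/usr/libexec/identd\tidentd -el\n' \
        > "$tmp/inetd.conf"
    printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -US\n' >> "$tmp/inetd.conf"
    printf 'daytime\tstream\ttcp\tnowait\troot\tinternal\n' >> "$tmp/inetd.conf"
    printf 'time\tstream\ttcp\tnowait\troot\tinternal\n' >> "$tmp/inetd.conf"

    echo "== ports found open by the scan =="
    service_names "$tmp/services" 13 37 113
    echo "== inetd.conf with those services disabled =="
    disable_inetd_services "$tmp/inetd.conf" ident daytime time
    rm -rf "$tmp"
}

demo
# On the real host, after writing the edited file back to /etc/inetd.conf:
#   pkill -HUP inetd
# then confirm with 'netstat -an -f inet | grep LISTEN' that 13, 37 and 113 are gone.
```

Note the name mismatch the example deliberately includes: /etc/services reports port 113 as "auth", but the inetd.conf entry that serves it is named "ident", so a search for the services name alone would miss it. Disabling the service is preferable to only filtering the port, since the daemon then never runs at all, but keeping Trihexagonal's block rule as well costs nothing.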
25th November 2012
Trihexagonal (Port Guard)
Join Date: May 2012
Posts: 16

Quote: Originally Posted by ai-danno
grep your /etc/services file for the ports in question. You'll find that they are daytime, auth ident, and time.

inetd manages these services, so you can modify /etc/inetd.conf to disable them (I'm assuming you aren't intending to serve them if you don't recognize them), then restart inetd ("pkill -HUP inetd").
I knew what services used those ports, just not right offhand where to turn them off. Those services aren't enabled by default on FreeBSD and I didn't see them in /etc/rc.conf so it was just a matter of not knowing where to look.

Thanks for letting me know.